self-referential security groups can not be deleted

Bug #956366 reported by Adam Gandelman
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | High | Mark McLoughlin |
nova (Ubuntu) | Fix Released | High | Unassigned |

Bug Description

Security groups that authorize themselves (and probably other groups) cannot be deleted from nova.

To reproduce:

(SIDE NOTE: I couldn't get euca2ools to create the test case because it's using some deprecated authorize_security_group call. To do this, I had to edit 'euca2ools/commands/euca/authorize.py', line 94, and change 'authorize_security_group_deprecated' to 'authorize_security_group'.)

    adam@amebix:~$ euca-add-group -d testing secgroup_test
    GROUP secgroup_test testing
    adam@amebix:~$ euca-authorize -p 25 -o secgroup_test secgroup_test
    GROUP secgroup_test
    PERMISSION secgroup_test ALLOWS tcp 25 25 GRPNAME secgroup_test FROM CIDR 0.0.0.0/0
    adam@amebix:~$ euca-describe-groups
    GROUP 687ccca5b93f4979829889955e7ea117 default default
    PERMISSION 687ccca5b93f4979829889955e7ea117 default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
    GROUP 687ccca5b93f4979829889955e7ea117 secgroup_test testing
    PERMISSION 687ccca5b93f4979829889955e7ea117 secgroup_test ALLOWS tcp 25 25 GRPNAME secgroup_test
    adam@amebix:~$ euca-delete-group secgroup_test
    UnknownError: An unknown error has occurred. Please try your request again.

nova-api.log shows:

    2012-03-15 12:46:32 ERROR nova.api.ec2 [req-7c56e5e0-0d02-43b1-8a73-157c559c8e19 1f600dd0286e4cdd97bc15b3520d866c 687ccca5b93f4979829889955e7ea117] Unexpected error raised: Group not valid. Reason: In Use
    (nova.api.ec2): TRACE: Traceback (most recent call last):
    (nova.api.ec2): TRACE: File "/usr/lib/python2.7/dist-packages/nova/api/ec2/__init__.py", line 582, in __call__
    (nova.api.ec2): TRACE: result = api_request.invoke(context)
    (nova.api.ec2): TRACE: File "/usr/lib/python2.7/dist-packages/nova/api/ec2/apirequest.py", line 81, in invoke
    (nova.api.ec2): TRACE: result = method(context, **args)
    (nova.api.ec2): TRACE: File "/usr/lib/python2.7/dist-packages/nova/api/ec2/cloud.py", line 812, in delete_security_group
    (nova.api.ec2): TRACE: raise exception.InvalidGroup(reason="In Use")
    (nova.api.ec2): TRACE: InvalidGroup: Group not valid. Reason: In Use
    (nova.api.ec2): TRACE:
    2012-03-15 12:46:32 ERROR nova.api.ec2 [req-7c56e5e0-0d02-43b1-8a73-157c559c8e19 1f600dd0

...which is the exception that should be raised when attempting to delete a group with running instances associated, not when other security groups are associated. AFAICS from comparing to AWS, the expected behavior here is to delete all rules referencing this group as well as the original.

Dave Walker (davewalker)
Changed in nova (Ubuntu):
importance: Undecided → High
Changed in nova:
importance: Undecided → High
status: New → Triaged
milestone: none → essex-rc1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5424

Changed in nova:
assignee: nobody → Adam Gandelman (gandelman-a)
status: Triaged → In Progress
Changed in nova:
assignee: Adam Gandelman (gandelman-a) → Vish Ishaya (vishvananda)
Changed in nova:
assignee: Vish Ishaya (vishvananda) → Adam Gandelman (gandelman-a)
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/5440

Changed in nova:
assignee: Adam Gandelman (gandelman-a) → Mark McLoughlin (markmc)
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/5424
Committed: http://github.com/openstack/nova/commit/dd6c1907c6634ccb41c3d94ed3296498e32333b0
Submitter: Jenkins
Branch: master

commit dd6c1907c6634ccb41c3d94ed3296498e32333b0
Author: Adam Gandelman <email address hidden>
Date: Thu Mar 15 15:38:11 2012 -0700

    db api: Remove check for security groups reference

    security_group_in_use() should only be checking that a security
    group is associated with running instances, not that other groups
    are referencing it in their rules. With this check in place, it
    becomes impossible to delete self-referential security groups.

    Fixes bug 956366.

    Update: Remove obsolete test as well

    Change-Id: I31f49c655b044dbaf0fb66dfaadb876c9dc3d167

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Chuck Short (zulcss)
Changed in nova (Ubuntu):
status: New → Fix Released
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/5440
Committed: http://github.com/openstack/nova/commit/5ca931c6d0e3a4759e7392cc7ee5f728d66c182f
Submitter: Jenkins
Branch: master

commit 5ca931c6d0e3a4759e7392cc7ee5f728d66c182f
Author: Mark McLoughlin <email address hidden>
Date: Thu Mar 15 22:52:49 2012 -0400

    Re-instate security group delete test case

    While fixing lp#956366, we realized that it's fine to delete a security
    group referenced by an ingress rule of another security group because
    the ingress rule gets deleted.

    Re-instate the test for this specific case, but test that the ingress
    rule gets deleted rather than an exception being thrown.

    Change-Id: I81ad16431f5f8f13561dfcb320213366e1e8864e
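
The two commit messages above describe the "in use" check before and after the fix, and what happens to ingress rules that name a deleted group. The following added example (not nova's code, and not part of the original report) models both in memory; `Store`, `Rule`, `in_use_before_fix`, `in_use_after_fix` and the `mail_clients` group are hypothetical names, and the rule data is constructed from the reproduction steps.

```python
from dataclasses import dataclass
from typing import Optional

class InvalidGroup(Exception):
    """Stand-in for the exception seen in the traceback."""

@dataclass(frozen=True)
class Rule:
    parent: str                         # group that owns the ingress rule
    port: int
    source_group: Optional[str] = None  # set for GRPNAME rules, None for CIDR rules

class Store:
    """Hypothetical in-memory model, not nova's db api."""
    def __init__(self, rules, instance_groups):
        self.groups = {r.parent for r in rules}
        self.rules = list(rules)
        self.instance_groups = instance_groups  # instance id -> set of group names

    def has_instances(self, name):
        return any(name in gs for gs in self.instance_groups.values())

    def in_use_before_fix(self, name):
        # Also counts any rule naming the group as a source, so a group
        # that authorizes itself is always reported as in use.
        return self.has_instances(name) or any(
            r.source_group == name for r in self.rules)

    def in_use_after_fix(self, name):
        return self.has_instances(name)

    def delete_group(self, name, in_use):
        if in_use(name):
            raise InvalidGroup("In Use")
        # Drop the group's own rules and every ingress rule that names it.
        self.rules = [r for r in self.rules
                      if name not in (r.parent, r.source_group)]
        self.groups.discard(name)

def constructed_store(instance_groups=None):
    # Constructed data: the reproduction's groups plus a hypothetical third group.
    rules = [Rule("default", 22),
             Rule("secgroup_test", 25, "secgroup_test"),
             Rule("mail_clients", 25, "secgroup_test")]
    return Store(rules, instance_groups or {})

def try_delete(store, name, in_use):
    try:
        store.delete_group(name, in_use)
        return "deleted"
    except InvalidGroup as exc:
        return str(exc)
```

In this model, deleting `secgroup_test` also removes the port 25 rule from `mail_clients`, so a group that referenced the deleted one ends up with a narrower ingress policy than it had before.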

Changed in nova:
status: Fix Released → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/5881

Thierry Carrez (ttx)
Changed in nova:
milestone: essex-rc1 → essex-rc2
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (milestone-proposed)

Reviewed: https://review.openstack.org/5881
Committed: http://github.com/openstack/nova/commit/fd0ea778b0fd5932f1ca22de57cb6c872ed5b58f
Submitter: Jenkins
Branch: milestone-proposed

commit fd0ea778b0fd5932f1ca22de57cb6c872ed5b58f
Author: Mark McLoughlin <email address hidden>
Date: Thu Mar 15 22:52:49 2012 -0400

    Re-instate security group delete test case

    While fixing lp#956366, we realized that it's fine to delete a security
    group referenced by an ingress rule of another security group because
    the ingress rule gets deleted.

    Re-instate the test for this specific case, but test that the ingress
    rule gets deleted rather than an exception being thrown.

    Change-Id: I81ad16431f5f8f13561dfcb320213366e1e8864e

Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-rc2 → 2012.1